Research article (open access)
DOI: 10.1145/3560835.3564554

Automatic Security Assessment of GitHub Actions Workflows

Published: 08 November 2022

Abstract

The demand for quick and reliable DevOps operations has pushed repository platform providers to implement workflows. Workflows automate code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and every software supply chain in which the hosted code is involved. Hence, an attack exploiting vulnerable workflows can disruptively affect large software ecosystems. To empirically assess the importance of this problem, in this paper we focus on the de-facto main provider (i.e., GitHub). We developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it to 50 open-source projects. The experimental results are worrisome: the tool identified a total of 24,905 security issues (all reported to the corresponding stakeholders), indicating that the problem is open and demands further research and investigation.

Supplementary Material

MP4 File (scored22-19.mp4)
Presentation video for the SCORED'22 workshop


Published In

SCORED'22: Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses
November 2022
121 pages
ISBN:9781450398855
DOI:10.1145/3560835

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. github actions
  2. software supply chain
  3. software supply chain security
  4. workflow security


Conference

CCS '22
